Warning to US organizations relying on D&O insurance to cover cyber losses

In the wake of 2014’s deluge of information losses, more and more organizations are understandably fearful of incurring huge costs typically associated with data breach incidents, and are taking measures to protect themselves.

However, recent market analysis shows that the predicted increase in cyber insurance adoption in 2015 is yet to materialize. One of the main reasons for this slow uptake is the fact that, as more breaches occur, insurers are rethinking their pricing models: premiums are increasing and coverage diminishing, leading companies to look elsewhere to cover their potential losses.

Covering third-party expenses

Chamika Hand of Pinsent Masons, writing on out-law.com, notes that, while cyber insurance should cover first-party losses[i] , third-party losses[ii] are not necessarily covered, as insurers are “increasingly refining coverage limits as well as the specifics of what will be covered when a breach occurs and a firm has to notify all those affected.”

Large numbers of companies are therefore turning to their existing directors & officers liability (D&O) insurance policies to cover their third-party expenses.

Such companies should be warned that they still may not be entirely covered against cyber losses. Although D&O side C cover – which covers the company’s own liabilities as a legal entity – can be used “to pick up third-party cyber losses where the company is targeted for any breach”, D&O policies frequently “contain exclusions [that could] prevent the recovery of certain losses”, especially relating to third-party contracts.

Assessing third-party risks

While insurance is one way of reducing the cost of data breaches, it should be remembered that coverage doesn’t make you safer; it just provides a cushion for when you inevitably fall. A sensible approach to addressing cybersecurity risks involves improving cybersecurity throughout the supply chain in order to prevent breaches, rather than shelling out on costly insurance premiums.

The misuse of privileges by insiders and third parties – whether deliberate or accidental – accounted for 85% of data breaches according to Verizon’s 2014 Data Breach Investigations Report. The massive data breaches at Home Depot and Target, for example, were both caused by third parties.

Good information security reduces the risks faced by an organization, whether in-house, or through a third party. If you want to improve the security of your critical information, you need to ensure that everyone in your supply chain exercises the same level of security over your data that you do.

Improving security and reducing premiums with ISO 27001

The international standard ISO 27001 sets out the requirements of a best-practice information security management system (ISMS), a risk-based approach to data security that can be applied throughout the supply chain. Once your ISMS has been certified to the Standard, you can insist that third-party contractors and suppliers also achieve certification. Certification provides evidence to all stakeholders that international best practice is being followed, allows you to meet legal and regulatory obligations, and reduces the risks your business faces.

To see how IT Governance’s fixed-price ISO 27001 Packaged Solutions can help you implement an ISMS in your organization and achieve certification to the Standard whatever your budget or the timescale of your project, click here >>

[i] Such as the loss of or damage to digital assets, and the cost of business interruption, reputational loss, and increased customer churn.
[ii] Such as compensation, notification, or litigation costs.